From 06762e30ab4b01289f9ada5e3ff15fdd5996f88e Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 7 Sep 2023 22:35:39 -0400
Subject: [PATCH 1/6] New Rule: Reply-to/Sender Mismatch with suspicious TLD
---
 .../headers_replyto_mismatch_sus_tld.yml | 91 +++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 detection-rules/headers_replyto_mismatch_sus_tld.yml
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
new file mode 100644
index 00000000000..362d309c759
--- /dev/null
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -0,0 +1,91 @@
+name: "Reply-to/Sender Mismatch with suspicious TLD"
+description: |
+ This rule detects a mismatch between the reply-to and the sender email addresses, and one or both of them are from suspicious TLDs
+references:
+
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ any(headers.reply_to,
+ .email.email != sender.email.email
+ and any([.email.domain.tld, sender.email.domain.tld],
+
+ // https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
+ . in (
+ "ae",
+ "agency",
+ "asia",
+ "autos",
+ "bar",
+ "beauty",
+ "bid",
+ "bio",
+ "biz",
+ "boats",
+ "boston",
+ "boutique",
+ "buzz",
+ "cf",
+ "cfd",
+ "cn",
+ "cyou",
+ "dad",
+ "dance",
+ "degree",
+ "discount",
+ "esq",
+ "fit",
+ "foo",
+ "fun",
+ "fyi",
+ "gdn",
+ "gq",
+ "guru",
+ "hair",
+ "haus",
+ "in",
+ "jp",
+ "live",
+ "loan",
+ "loans",
+ "makeup",
+ "market",
+ "ml",
+ "mom",
+ "monster",
+ "mov",
+ "name",
+ "nexus",
+ "okinawa",
+ "ooo",
+ "phd",
+ "prof",
+ "pw",
+ "quest",
+ "rest",
+ "review",
+ "ru",
+ "sbs",
+ "skin",
+ "space",
+ "surf",
+ "tk",
+ "tokyo",
+ "top",
+ "uno",
+ "voto",
+ "website",
+ "wiki",
+ "work",
+ "wtf",
+ "xyz",
+ "zip",
+ "zone"
+ )
+ )
+ )
+ )
+tags:
+
\ No newline at end of file
From d675747789cd3cfb9d34d9d0cec0cdde23dcd561 Mon Sep 17 00:00:00 2001
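Review bot: The inline TLD list under `. in (` includes large national ccTLDs (`ae`, `cn`, `in`, `jp`, `ru`), so any legitimate sender from those countries whose Reply-To differs from the From address — the normal setup for ticketing and mailing systems — will match at `severity: "medium"`. The URL in the `//` comment points to an ad-blocker spam-TLD filter, whose inclusion criteria are not those of a phishing detection, so either state that trade-off in `description` or trim the ccTLDs. That URL is the only record of where the list came from, yet `references:` is left empty; put the URL under `references:` so the provenance is part of the rule metadata. Whether `.email.email != sender.email.email` and the `. in (...)` membership test compare case-insensitively is not visible here; if they do not, mixed-case addresses or TLDs would not match, so confirm against the query language's string semantics.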
From: Sam Scholten
Date: Thu, 7 Sep 2023 22:38:23 -0400
Subject: [PATCH 2/6] Update headers_replyto_mismatch_sus_tld.yml
---
 detection-rules/headers_replyto_mismatch_sus_tld.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
index 362d309c759..a69f10e606c 100644
--- a/detection-rules/headers_replyto_mismatch_sus_tld.yml
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -1,8 +1,6 @@
 name: "Reply-to/Sender Mismatch with suspicious TLD"
 description: |
 This rule detects a mismatch between the reply-to and the sender email addresses, and one or both of them are from suspicious TLDs
-references:
-
 type: "rule"
 severity: "medium"
 source: |
@@ -87,5 +85,9 @@ source: |
 )
 )
 )
-tags:
-
\ No newline at end of file
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+
From 8304d7debfd173cc90d1c13cc936460428cd933e Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 8 Sep 2023 02:39:26 +0000
Subject: [PATCH 3/6] Auto add rule ID
---
 detection-rules/headers_replyto_mismatch_sus_tld.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
index a69f10e606c..b387e06af6b 100644
--- a/detection-rules/headers_replyto_mismatch_sus_tld.yml
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -91,3 +91,4 @@ detection_methods:
 - "Header analysis"
 - "Sender analysis"
+id: "a5f5b25a-0b7d-5ecc-8cf8-295a8433bad1"
From b6ad8b1152f6b166bc79296583bdd67bcbd28cf9 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 3 Oct 2023 16:51:41 -0400
Subject: [PATCH 4/6] Update headers_replyto_mismatch_sus_tld.yml
---
 .../headers_replyto_mismatch_sus_tld.yml | 72 +------------------
 1 file changed, 1 insertion(+), 71 deletions(-)
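Review bot: Dropping `references:` in the first hunk leaves the blocklist URL that defines "suspicious TLD" for this rule recorded only in a `//` comment inside `source`; keeping the key populated, `references: - "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt"`, is preferable to deleting it. The second hunk also appends an empty `+` line after `- "Sender analysis"`, which is trailing-whitespace noise and should be removed before merge. The `detection_methods` entries describe what the rule inspects, but nothing in the metadata explains why a Reply-To/From mismatch is paired with TLD reputation; a one-line addition to `description` noting that the mismatch alone is common in legitimate mail and the TLD check is what narrows it would help the next maintainer tune it.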
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
index b387e06af6b..a76d468a74a 100644
--- a/detection-rules/headers_replyto_mismatch_sus_tld.yml
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -11,77 +11,7 @@ source: |
 and any([.email.domain.tld, sender.email.domain.tld],
 // https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
- . in (
- "ae",
- "agency",
- "asia",
- "autos",
- "bar",
- "beauty",
- "bid",
- "bio",
- "biz",
- "boats",
- "boston",
- "boutique",
- "buzz",
- "cf",
- "cfd",
- "cn",
- "cyou",
- "dad",
- "dance",
- "degree",
- "discount",
- "esq",
- "fit",
- "foo",
- "fun",
- "fyi",
- "gdn",
- "gq",
- "guru",
- "hair",
- "haus",
- "in",
- "jp",
- "live",
- "loan",
- "loans",
- "makeup",
- "market",
- "ml",
- "mom",
- "monster",
- "mov",
- "name",
- "nexus",
- "okinawa",
- "ooo",
- "phd",
- "prof",
- "pw",
- "quest",
- "rest",
- "review",
- "ru",
- "sbs",
- "skin",
- "space",
- "surf",
- "tk",
- "tokyo",
- "top",
- "uno",
- "voto",
- "website",
- "wiki",
- "work",
- "wtf",
- "xyz",
- "zip",
- "zone"
- )
+ . in $suspicious_tlds
 )
 )
 )
From f80fe4cd11272fea18c0c2031bef329a80ab4798 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 3 Oct 2023 16:53:03 -0400
Subject: [PATCH 5/6] Update headers_replyto_mismatch_sus_tld.yml
---
 detection-rules/headers_replyto_mismatch_sus_tld.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
index a76d468a74a..cdaa082969e 100644
--- a/detection-rules/headers_replyto_mismatch_sus_tld.yml
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
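Review bot: The `// https://raw.githubusercontent.com/hagezi/...` comment is retained as context directly above the new `. in $suspicious_tlds` line, but it documented the inline list this hunk removes; `$suspicious_tlds` is defined outside this file, so the comment now asserts a provenance this rule no longer controls. Either drop it or reword it to `// $suspicious_tlds is a shared list; see its definition for the source and maintenance notes`. Moving to the shared list is the right call, since an inline copy would drift, but the behavioural consequence is that any false-positive tuning for this rule (for example the broad ccTLDs the inline list carried) now has to be done on the shared list and affects every rule that references it. The enclosing `source:` block and the `any(headers.reply_to, ...)` call begin outside the hunk.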
@@ -8,8 +8,8 @@ source: |
 and (
 any(headers.reply_to,
 .email.email != sender.email.email
+ and .email.domain.domain != sender.email.domain.domain
 and any([.email.domain.tld, sender.email.domain.tld],
-
 // https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
 . in $suspicious_tlds
 )
From 9611a3e517c280c98beea720aa4b32c536232478 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 3 Oct 2023 16:58:06 -0400
Subject: [PATCH 6/6] Update headers_replyto_mismatch_sus_tld.yml
---
 detection-rules/headers_replyto_mismatch_sus_tld.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
index cdaa082969e..e89777480ae 100644
--- a/detection-rules/headers_replyto_mismatch_sus_tld.yml
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -9,10 +9,8 @@ source: |
 any(headers.reply_to,
 .email.email != sender.email.email
 and .email.domain.domain != sender.email.domain.domain
- and any([.email.domain.tld, sender.email.domain.tld],
- // https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
- . in $suspicious_tlds
- )
+ and not strings.icontains(sender.display_name, "marketing")
+ and any([.email.domain.tld, sender.email.domain.tld], . in $suspicious_tlds)
 )
 )
 tactics_and_techniques:
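Review bot: With `and .email.domain.domain != sender.email.domain.domain` added, the preceding `.email.email != sender.email.email` check is implied (different domains cannot be the same address) and can be dropped to keep the predicate minimal, unless it is kept deliberately for readability — in which case a short comment saying so would stop the next reader from removing it. If `.domain.domain` carries subdomains, a Reply-To at a subdomain of the sender's own organisation still counts as a mismatch; comparing the registrable domain instead (`root_domain`, if the schema provides that field) would treat those as the same party, so confirm which comparison the intended semantics need. The enclosing `any(headers.reply_to, ...)` and `source:` block begin outside the hunk.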
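Review bot: The new exclusion `and not strings.icontains(sender.display_name, "marketing")` keys on `sender.display_name`, a header value set entirely by the sending party, so the carve-out applies to any message whose display name contains that word regardless of who sent it; the intent (cutting false positives from marketing platforms that legitimately use a separate Reply-To) is safer expressed against the sender domain or an allowlist of known marketing senders. At minimum record the rationale inline, e.g. `// marketing platforms commonly use a separate reply-to; excluded to reduce false positives`. Collapsing `any([...], . in $suspicious_tlds)` onto one line also removed the blocklist comment, so this rule no longer records where `$suspicious_tlds` comes from; if the shared list's definition documents that, a pointer to it here is enough. The enclosing `and (` and `source:` block begin outside the hunk.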